If you are one of the many IdPs that already support CILogon, it is very easy to convert your CILogon configuration to a more general R&S configuration, since the attributes CILogon requires are precisely those required to support R&S.
Software Requirements
The software requirements for the upgrade described here include Shibboleth IdP v2.3.4 or later. First read how to configure your Shibboleth IdP to support R&S before continuing.
Your current CILogon configuration probably looks something like this:
<afp:AttributeFilterPolicy id="releaseToCILogon">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://cilogon.org/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Simply replace the CILogon entityID with the R&S entity attribute:
<afp:AttributeFilterPolicy id="releaseToRandS">
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <!-- this assumes your deployment of ePPN is non-reassigned, otherwise you MUST release ePTID as well -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="displayName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="surname">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
That's it, you're done. Congratulations, you've just given your users access to all R&S SPs.
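Because the new policy matches on an entity attribute in SP metadata rather than on a single entityID, it is worth listing which SPs in your loaded metadata now fall in scope. The Python sketch below is an added example, not part of the original page or of Shibboleth; the sample metadata, the example.org entityIDs and the function names are constructed, and the comparison approximates the exact-match rule rather than reproducing the IdP's own implementation.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CATEGORY_ATTR = "http://macedir.org/entity-category"
RANDS = "http://refeds.org/category/research-and-scholarship"


def _sample_sp(entity_id, category=None):
    """Build one constructed SP entry for the sample metadata (hypothetical helper)."""
    ext = ""
    if category:
        ext = ('<md:Extensions><mdattr:EntityAttributes>'
               f'<saml:Attribute Name="{CATEGORY_ATTR}">'
               f'<saml:AttributeValue>{category}</saml:AttributeValue>'
               '</saml:Attribute></mdattr:EntityAttributes></md:Extensions>')
    return (f'<md:EntityDescriptor entityID="{entity_id}">{ext}'
            '<md:SPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>')


# Constructed sample metadata: one R&S SP, one untagged SP, one SP in another category.
SAMPLE_METADATA = (
    "<md:EntitiesDescriptor "
    + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">"
    + _sample_sp("https://sp-a.example.org/shibboleth", RANDS)
    + _sample_sp("https://sp-b.example.org/shibboleth")
    + _sample_sp("https://sp-c.example.org/shibboleth", "http://example.org/category/other")
    + "</md:EntitiesDescriptor>")


def policy_scope(metadata_xml):
    """Map each SP entityID to True if it carries the R&S entity attribute."""
    scope = {}
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if entity.find("md:SPSSODescriptor", NS) is None:
            continue  # only SPs are attribute requesters
        attrs = entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
        scope[entity.get("entityID")] = any(
            a.get("Name") == CATEGORY_ATTR and v.text == RANDS
            for a in attrs for v in a.findall("saml:AttributeValue", NS))
    return scope


if __name__ == "__main__":
    for entity_id, in_scope in policy_scope(SAMPLE_METADATA).items():
        print(("RELEASE " if in_scope else "no match ") + entity_id)
```

Run it against the metadata your IdP actually loads to see the release scope; the result is only as trustworthy as the metadata source itself.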
To have your IdP added to the list of IdPs that support R&S, fill out this short form (just 6 questions) that declares your willingness and ability to support R&S. Once this is done, your IdP will be added to the list, normally within one business day.